hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated
Date Wed, 25 Jan 2017 05:50:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15837230#comment-15837230
] 

Yongjun Zhang commented on HADOOP-13805:
----------------------------------------

Thanks a lot for the review [~tucu00].

The failed test is actually an interesting one. It loginuser from subject, and expects the
renewal thread to be created to renew the credential. Because of the fix, no matter whether
we disable or enable the config, the condition for creating renewal thread is always false,
thus the test failed. The reason is that this test is created after HADOOP-13558, and it depends
on the behaviour of HADOOP-13558. Disabling the config will disable the HADOOP-13558 change,
enabling it will fix the wrong behavior, that's why this test can't work by simply disabling
or enabling the config.

Discussed with [~xiaochen] who originally created the testcase, we agreed upon a solution
that introduce a special field to allow the renewal thread be created for testing purpose.
Uploaded rev 008 with this solution. Would you please take a look again?

Thanks.

> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13805.006.patch, HADOOP-13805.007.patch, HADOOP-13805.008.patch,
HADOOP-13805.01.patch, HADOOP-13805.02.patch, HADOOP-13805.03.patch, HADOOP-13805.04.patch,
HADOOP-13805.05.patch
>
>
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the UGI is
created from an existing Subject as in that case the keytab is not 'own' by UGI but by the
creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor {{UserGroupInformation(Subject
subject, final boolean externalKeyTab)}} and we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via a Subject
(via the {{UGI.loginUserFromSubject()}} method), we call {{new UserGroupInformation(subject)}}
which will delegate to {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}}
 and that will use externalKeyTab == *FALSE*. 
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using a non-existing
keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS filesystem
client accessing an an encryption zone.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message